OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities

netcat_1

 

OSVDB 119342, 119323 NetCat CMS Multiple HTTP Response Splitting (CRLF) Web Security Vulnerabilities

 

Exploit Title: NetCat CMS Multiple CRLF Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 3.12

Advisory Publication: March 07, 2015

Latest Update: March 07, 2015

Vulnerability Type: Improper Neutralization of CRLF Sequences (‘CRLF Injection’) [CWE-93]

CVE Reference: *

OSVDB Reference: 119342, 119343

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Author: Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 

 

Advisory Details:



(1) Vendor & Product Description:



Vendor:

NetCat

 

Product & Version:

NetCat

5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

 

Vendor URL & Download:

NetCat can be got from here,

http://netcat.ru/

 

Product Introduction:

NetCat.ru is russian local company. “NetCat designed to create an absolute majority of the types of sites: from simple “business card” with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data – in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section.”

“Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000.”

 

 

 

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by HTTP Response Splitting (CRLF) attacks. This could allow a remote attacker to insert arbitrary HTTP headers, which are included in a response sent to the server. If an application does not properly filter such a request, it could be used to inject additional headers that manipulate cookies, authentication status, or more.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. NetCat has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to CRLF vulnerabilities and cyber intelligence recommendations.

(2.1) The first code flaw occurs at “/post.php” page with “redirect_url” parameter by adding “%0d%0a%20”.

(2.2) The second code flaw occurs at “redirect.php?” page with “url” parameter by adding “%0d%0a%20”.

 

 

 

 

Reference:
http://www.osvdb.org/show/osvdb/119342
http://www.osvdb.org/show/osvdb/119343
http://lists.openwall.net/full-disclosure/2015/03/07/3
http://seclists.org/fulldisclosure/2015/Mar/36
http://marc.info/?l=full-disclosure&m=142576233403004&w=4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01768.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1676
http://securityrelated.blogspot.com/2015/03/netcat-cms-multiple-http-response.html
http://essayjeans.blog.163.com/blog/static/23717307420155142423197/
http://computerobsess.blogspot.com/2015/06/osvdb-119342-netcat-crlf.html
http://diebiyi.com/articles/bugs/netcat-cms-crlf
http://tetraph.blog.163.com/blog/static/234603051201551423749286/
https://webtechwire.wordpress.com/2015/03/14/osvdb-119342-netcat-crlf/
https://itswift.wordpress.com/2015/03/07/netcat-cms-multiple
http://tetraph.com/security/http-response-splitting-vulnerability/netcat-cms-multiple
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms

FC2 Online Web Service Open Redirect (Unvalidated Redirects and Forwards) Cyber Security Vulnerabilities

fc2_com_2

FC2 Online Web Service Open Redirect (Unvalidated Redirects and Forwards) Cyber Security Vulnerabilities

Domain:
fc2.com

“FC2 (founded July 20, 1999) is a popular Japanese blogging host, the third most popular video hosting service in Japan (after YouTube and Niconico), and a web hosting company headquartered in Las Vegas, Nevada. It is the sixth most popular website in Japan overall (as of January 2014). FC2 is an abbreviation of “Fantastic Kupi-Kupi (クピクピ)”. It is known to allow controversial adult content such as pornography and hate speech (unlike many of its competitors). The company uses rented office space for its headquarters which it shares with many other U.S.-based businesses. It also pays taxes in the United States. The physical servers are located in the United States. However, it is believed that the majority of the company and its users (including employees) are located within Japan” (Wikipedia)

The Alexa rank of fc2.com is 52 on February 18 2015. It is the toppest Japanese local website sevice.

(1) Vulnerability Description:

FC2 online web service has a computer cyber security bug problem. It can be exploited by Open Redirect (Unvalidated Redirects and Forwards) attacks. Here is the description of Open Redirect: “An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.” One consequences of it is Phishing. (OWASP)

The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

In fact, during the test, it is not hard to find URL Redirection bugs in FC2. Maybe fc2.com pays little attention to mitigate these Vulnerabilities. These bugs were found by using URFDS.

(2) Use one of webpages for the following tests. The webpage address is “http://securitypost.tumblr.com/“. Can suppose that this webpage is malicious.

Vulnerability Disclosure:
Those vulnerabilities were reported to Rakuten, they are still unpatched.

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

==================

FC2オンラインWebサービスオープンリダイレクト(未検証のリダイレクトとフォワード)サイバー·セキュリティの脆弱性

ドメイン:
fc2.com

(1999年7月20日に設立)」FC2は、日本の人気ブログのホスト、(YouTubeやニコニコ後)は、日本で3番目に人気のビデオホスティングサービス、およびラスベガス、ネバダ州に本社を置くウェブホスティング会社です。それは第六最も人気のあります日本のウェブサイトは、全体的な。(2014年1月のように)FC2はの略で、「ファンタスティックKupi-Kupi(クピクピ)」。このようなポルノのような論争のアダルトコンテンツを許可し、(競合他社の多くとは異なり)スピーチを憎むことが知られています。」 (ウィキペディア)

fc2.comのAlexaのランクはそれがtoppest日本のローカルウェブサイトの流通サービスである2月18日2015年52あります。

(1)脆弱性の説明:

FC2オンラインWebサービスは、コンピュータのサイバーセキュリティバグの問題があります。それは、オープンリダイレクト(未検証のリダイレクトとフォワード)攻撃によって悪用される可能性があります。ここでオープンリダイレクトの説明は次のとおりです。「オープンリダイレクトがパラメータを受け取り、何の検証も行わずにパラメータ値にユーザーをリダイレクトするアプリケーションです。この脆弱性は、それを実現することなく、悪質なサイトを訪問するユーザーを取得するためにフィッシング攻撃で使用されています。。 “それの一つの結果はフィッシングで​​す。 (OWASP)

プログラムコードの欠陥は、ユーザのログインなしで攻撃される可能性があります。テストは、Windows 7のMicrosoftのIE(9 9.0.8112.16421)で行われた、Mozilla Firefoxの(37.0.2)&グーグルクロム42.0.2311のUbuntuの(64ビット)(14.04.2)はMac OSのアップルのSafari 6.1.6 X v10.9マーベリックス。

実際には、テスト時には、FC2内のURLリダイレクトのバグを見つけることは難しいことではありません。多分fc2.comは、これらの脆弱性を軽減するためにはほとんど注意を払っています。

(2)以下の試験のためのWebページのいずれかを使用します。ウェブページアドレスは「http://securitypost.tumblr.com/」です。このウェブページに悪意であるとすることができます。

脆弱性の公開:
これらの脆弱性は楽天に報告された、彼らはまだパッチを適用していないです。

発見し、レポーター:
王ジン (Wang Jing)、数理科学研究部門(MAS)、物理的および数理科学科(SPMS)、南洋理工大学(NTU)、シンガポール。 (@justqdjing
http://www.tetraph.com/wangjing

Google DoubleClick Website System Could be Used by Spammers

google_2

 

Google DoubleClick.net (Advertising) System URL Redirection Vulnerabilities Could Be Used by Spammers

 

Although Google does not include Open Redirect vulnerabilities in its bug bounty program, its preventive measures against Open Redirect attacks have been quite thorough and effective to date.

 

However, Google might have overlooked the security of its DoubleClick.net ​advertising system. After some test, it is found that most of the redirection URLs within DoubleClick.net are vulnerable to Open Redirect vulnerabilities. Many redirection are likely to be affected. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

 

These redirections can be easily used by spammers, too.

 

Some URLs belong to Googleads.g.Doubleclick.net are vulnerable to Open Redirect attacks, too. While Google prevents similar URL redirections other than Googleads.g.Doubleclick.net. Attackers can use URLs related to Google Account to make the attacks more powerful.

 

Moreover, these vulnerabilities can be used to attack other companies such as Google, eBay, The New York Times, Amazon, Godaddy, Yahoo, Netease, e.g. by bypassing their Open Redirect filters (Covert Redirect). These cyber security security bug problems have not been patched. Other similar web and computer attacks will be published in the near future.

 

 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

 

(1) Background Related to Google DoubleClick.net.

(1.1) What is DoubleClick.net?

DoubleClick is a subsidiary of Google which develops and provides Internet ad serving services. Its clients include agencies, marketers (Universal McCann, AKQA etc.) and publishers who serve customers like Microsoft, General Motors, Coca-Cola, Motorola, L’Oréal, Palm, Inc., Apple Inc., Visa USA, Nike, Carlsberg among others. DoubleClick’s headquarters is in New York City, United States.

 

DoubleClick was founded in 1996 by Kevin O’Connor and Dwight Merriman. It was formerly listed as “DCLK” on the NASDAQ, and was purchased by private equity firms Hellman & Friedman and JMI Equity in July 2005. In March 2008, Google acquired DoubleClick for US$3.1 billion. Unlike many other dot-com companies, it survived the dot-com bubble and focuses on uploading ads and reporting their performance.” (Wikipedia)

 

(1.2) Reports Related to Google DoubleClick.net Used by Spammers

(1.2.1)

Google DoublClick.net has been used by spammers for long time. The following is a report in 2008.

 

“The open redirect had become popular with spammers trying to lure users into clicking their links, as they could be made to look like safe URLs within Google’s domain.”
https://www.virusbtn.com/blog/2008/06_03a.xml?comments

 

(1.2.2)

Mitechmate published a blog related to DoubleClick.net spams in 2014.

 

Ad.doubleclick.net is recognized as a perilous adware application that causes unwanted redirections when surfing on the certain webpages. Actually it is another browser hijacker that aims to distribute frauds to make money.Commonly people pick up Ad.doubleclick virus when download softwares, browse porn site or read spam email attachments. It enters into computer sneakily after using computer insecurely.Ad.doubleclick.net is not just annoying, this malware traces users’ personal information, which would be utilized for cyber criminal.”
http://blog.mitechmate.com/remove-ad-doubleclick-net-redirect-virus/

 

(1.2.3)

Malwarebytes posted a news related to DoubleClick.net malvertising in 2014.

 

 

(2) DoubleClick.net System URL Redirection Vulnerabilities Details.

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

Used webpages for the following tests. The webpage address is “http://securitypost.tumblr.com/“. We can suppose that this webpage is malicious.

 

 

(2.1) Vulnerable URLs Related to Googleads.g.Doubleclick.net.

(2.1.1)

Some URLs belong to googleads.g.doubleclick.net are vulnerable to Open Redirect attacks. While Google prevents similar URL redirection other than googleads.g.doubleclick.net.

 

Vulnerable URLs:

 

POC:

 

Attackers can make use of the following URLs to make the attacks more powerful, i.e.

 

POC:

 

 

(2.1.2)

While Google prevents similar URL redirection other than googleads.g.doubleclick.net , e.g.

 

 

 

(2.2) Vulnerable URLs Related to DoubleClick.net.

Vulnerable URLs 1:

 

POC:

 

Vulnerable URLs 2:

 

POC:

 

Vulnerable URLs 3:

 

POC:

 

 

We can see that Google DoubleClick.net has Open Redirect vulnerabilities and could be misused by spammers.

 

 

 

(2.3)

 

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Google has patched some of them. BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. (c) Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. It also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.

 

 

 

(3) Google DoubleClick.net Can Adversely Affect Other Websites.

At the same time, Google DoubleClick.net can be used to do “Covert Redirect” to other websites, such as Google, eBay, The New York Times, etc.(Bypass other websites’ Open Redirect filters)

 

 

(3.1) Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

Domain:
google.com

 

“Google is an American multinational technology company specializing in Internet-related services and products. These include online advertising technologies, search, cloud computing, and software. Most of its profits are derived from AdWords, an online advertising service that places advertising near the list of search results. Google was founded by Larry Page and Sergey Brin while they were Ph.D. students at Stanford University. Together they own about 14 percent of its shares but control 56 percent of the stockholder voting power through supervoting stock. They incorporated Google as a privately held company on September 4, 1998. An initial public offering followed on August 19, 2004. Its mission statement from the outset was “to organize the world’s information and make it universally accessible and useful,” and its unofficial slogan was “Don’t be evil”. In 2004, Google moved to its new headquarters in Mountain View, California, nicknamed the Googleplex. The corporation has been estimated to run more than one million servers in data centers around the world (as of 2007). It processes over one billion search requests and about 24 petabytes of user-generated data each day (as of 2009). In December 2013, Alexa listed google.com as the most visited website in the world. Numerous Google sites in other languages figure in the top one hundred, as do several other Google-owned sites such as YouTube and Blogger. Its market dominance has led to prominent media coverage, including criticism of the company over issues such as search neutrality, copyright, censorship, and privacy.” (Wikipedia)

 

Vulnerable URL:

 

POC:

 

More Details:

 

 

(3.2) eBay Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

Domain:
ebay.com

 

“eBay Inc. (stylized as ebay) is an American multinational corporation and e-commerce company, providing consumer to consumer & business to consumer sales services via Internet. It is headquartered in San Jose, California, United States. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble. Today, it is a multi-billion dollar business with operations localized in over thirty countries. The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sales, the website has since expanded to include “Buy It Now” shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com); online classified advertisements (via Kijiji or eBay Classifieds); online event ticket trading (via StubHub); online money transfers (via PayPal) and other services. It is not a free website, but charges users an invoice fee when sellers have sold or listed any items.” (Wikipedia)

 

Vulnerable URL:

 

POC:

 

More Details:

 

 

(3.3) The New York Times (Nytimes.com) Covert Redirect Vulnerability Based on Google Doubleclick.net

Domain:
nytimes.com

 

“The New York Times (NYT) is an American daily newspaper, founded and continuously published in New York City since September 18, 1851, by the New York Times Company. It has won 114 Pulitzer Prizes, more than any other news organization. The paper’s print version has the largest circulation of any metropolitan newspaper in the United States, and the second-largest circulation overall, behind The Wall Street Journal. It is ranked 39th in the world by circulation. Following industry trends, its weekday circulation has fallen to fewer than one million daily since 1990. Nicknamed for years as “The Gray Lady”, The New York Times is long regarded within the industry as a national “newspaper of record”. It is owned by The New York Times Company. Arthur Ochs Sulzberger, Jr., (whose family (Ochs-Sulzberger) has controlled the paper for five generations, since 1896), is both the paper’s publisher and the company’s chairman. Its international version, formerly the International Herald Tribune, is now called the International New York Times.” (Wikipedia)

 

Vulnerable URL:

 

POC:

 

More Details:

 

These vulnerabilities were reported to Google earlier in 2014. But it seems that Google has yet taken any actions. All of the vulnerabilities are still not patched.

 

 

 

 

Related Posts:
http://seclists.org/fulldisclosure/2014/Nov/28
https://cxsecurity.com/issue/WLB-2014110106
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1192
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01307.html
http://computerobsess.blogspot.com/2014/11/google-doubleclicknetadvertising-system.html=
http://www.techenet.com/2014/12/doubleclick-do-google-pode-ser-vulneravel-a-ataques/
https://computertechhut.wordpress.com/2014/11/12/google-doubleclick-spam/
http://mathpost.tumblr.com/post/120760828940/tetraph-google-doubleclick-net-advertising
http://tetraph.com/security/open-redirect/google-doubleclick-netadvertising-system
https://www.facebook.com/essayjeans/posts/838922772865543
https://plus.google.com/u/0/+essayjeans/posts/Y12x6gXfyFX
http://mathstopic.blogspot.com/2015/06/google-doubleclick-spam.html
http://itsecurity.lofter.com/post/1cfbf9e7_72fe79f
https://twitter.com/essayjeans/status/606726247578636288
http://tetraph.tumblr.com/post/120760676767/google-doubleclick-net-advertising-system-url
https://itinfotechnology.wordpress.com/2014/11/18/google-doubleclick-spam/
https://www.facebook.com/permalink.php?story_fbid=945171075538075
http://guyuzui.lofter.com/post/1ccdcda4_7305f25
http://tetraph.blog.163.com/blog/static/23460305120155534216326/
http://www.inzeed.com/kaleidoscope/spamming/google-doubleclick-spam/